Hello Mark,
thanks a lot for this exhaustive explanation.
It's clear why you've decided to use RPM5 and really weird that RPM4 people
do not accept proposals from the project.
Seems like you are getting rid of RPM4 in the upcoming release, so I can't stick
to it as it will be painful to migrate.
I will
On 4/18/16 6:54 AM, Dmytro Milinevskyy wrote:
> Hi,
>
> I've found the culprit.
> RPM5 does package auto-signing. By itself it's not a big deal, but the problem is
> that it also considers that a package is valid if the pubkey is present in the
> RPM header.
> This is an extremely severe security

Hi,
I've found the culprit.
RPM5 does package auto-signing. By itself it's not a big deal, but the problem
is that it also considers that a package is valid if the pubkey is present in
the RPM header.
This is an extremely severe security issue - any "signed" package can be
installed on the target even

Hello,
currently I'm trying to enforce rpm signature verification on the target
device and get a weird bogus signature on the RPM packages when signing
is not enabled in the configuration.
The main issue is that this signature is considered valid by RPM 5.4.14,
which is used by Yocto. And
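The two messages above describe the same weakness: a verifier that checks a package's signature against the public key carried in the package's own header accepts anything, because whoever built the package also chose the key. The following Go program is an added illustration written for this thread, not code from RPM5, Yocto or any of the posters. It models a package as a constructed struct (payload, header key, signature) using Ed25519 from the Go standard library rather than the real RPM header format, and contrasts the flawed policy (trust the header key) with the policy a target should enforce (trust only a pre-provisioned keyring). Function and type names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package is a constructed toy model of a signed package: only the fields
// relevant to the discussion are kept. It is not the RPM header layout.
type Package struct {
	Payload   []byte
	HeaderKey ed25519.PublicKey // public key embedded by whoever built the package
	Sig       []byte            // signature over Payload
}

// Keyring is the set of public keys the target was provisioned to trust.
type Keyring []ed25519.PublicKey

// Sign builds a package signed with priv and embeds the matching public key,
// which is what an auto-signing build step effectively does.
func Sign(payload []byte, priv ed25519.PrivateKey) Package {
	return Package{
		Payload:   payload,
		HeaderKey: priv.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(priv, payload),
	}
}

// VerifyWithHeaderKey reproduces the flawed policy from the thread: the
// signature is checked against the key shipped inside the package itself,
// so any signer, including an unknown build host, passes.
func VerifyWithHeaderKey(p Package) bool {
	return ed25519.Verify(p.HeaderKey, p.Payload, p.Sig)
}

// VerifyWithKeyring is the policy a target should enforce: the header key is
// ignored and the signature must validate under a trusted, pre-provisioned key.
func VerifyWithKeyring(p Package, kr Keyring) bool {
	for _, k := range kr {
		if ed25519.Verify(k, p.Payload, p.Sig) {
			return true
		}
	}
	return false
}

// UnknownSignerOutcome signs a package with a key that is NOT in the target's
// keyring and returns (flawedPolicyAccepts, strictPolicyAccepts).
func UnknownSignerOutcome() (bool, bool, error) {
	// Vendor key: only its public half is provisioned on the target.
	vendorPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Unknown key: stands in for any build host that auto-signs its output.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pkg := Sign([]byte("constructed package payload"), otherPriv)
	kr := Keyring{vendorPub}
	return VerifyWithHeaderKey(pkg), VerifyWithKeyring(pkg, kr), nil
}

func main() {
	flawed, strict, err := UnknownSignerOutcome()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unknown signer, trust header key: accepted=%v\n", flawed)
	fmt.Printf("unknown signer, trust keyring only: accepted=%v\n", strict)
}
```

The point the program makes is that "signature present and internally consistent" is not the same as "signed by someone we trust"; the verification step is only meaningful if the set of acceptable keys is fixed on the target independently of the artifact being verified.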